Slashdot Mirror
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.
After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?
* note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.
Quo usque tandem abutere, Nimbus, patientia nostra?
IE is used by corporations, and corporations do not want patches for patches for hotfixes and all that jazz, they expect the patch to be tested and corporations are the ones who wanted a monthly release for patches so the IT staff are not patching and testing patches all month long.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Having radio button somewhere that makes your OS vulnerable to _KNOWN_ exploit is really stupid idea.
839*929
it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
839*929
Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that it obtainable in its virtual space. It could still be used for malicious purposes, purposes that can could result in a knock on the door from the law.
Sandboxing and virtualization are sane for ANY application which is processing content from untrusted sources, regardless of whether you think them secure or not.
A hale and open sourced browser is the only safe way to go. Screw IE, any version.
Right, because FF hasn't had any major security holes. Open source does not mean secure. It means you can see the code.
Was it not the browser that would install keyloggers and dialers through the press of the [Enter] key as it would default on installation of any "signed" ActiveX, not matter how fucked up it was? Yes! Did these people have any idea of what was happening on the Internet? Yes! Fuckit, the said, system-browser integration is not debatable; Microsoft had their fun killing Netscape, now we have our fun watching them trying to fix the mess. (They wont).
Ignoring the fact that they've come along way in both securing the browser and supporting standards shows nothing they do would make you happy. I think the problem is that you're upset that, even with problems in MS software, people would STILL rather use it than your favorite OS.
Also, I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out? oh ya, it took way too long, they should have rushed it out without any kind of testing, like open source does.
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
The road to tyranny has always been paved with claims of necessity.
WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Pain is merely failure leaving the body
(due to hordes of crap .NET programmers*)
You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.
I am TheRaven on Soylent News
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."
Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT depatments.
http://p8ste.com - Web based Clipboard
Ignoring the fact that they've come along way in both securing the browser and supporting standards shows nothing they do would make you happy.
Yes of course, the largest computer software company in the world should be given a hearty slap on the back for "coming a long way". I mean, they're only the standards that everyone else is following it's not like they matter.
If you had any idea what OP was talking about, you're realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.
Ya, well then you're going out of your way to make yourself vunerable again. At which point, I'd have to ask... why did you bother to upgrade?
Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.
And to the average user, there is no differnce. They'll have to way for FF to update itself to get the patch as well, as they're waiting on the mozilla people to do so.
So while you're probably not a programmer
Actually I am.
, like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").
Ya, in the real world, thats not going to happen. By the time the average user learned to progam, they'd be a new version of both IE and FF out already. As I explained, to the average user, there is no difference between FF and IE; either browser you're still at the mercy of a 3rd party for a patch.
Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom how much of that permission you're willing to leverage is up to you
No, it doesn't. It puts users are the mercy of the OS community (which has an attitude "if you didn't pay for it you don't have a right to complain") instead of a company. But at the end of the day, its the same for them. Don't be delusional; people just want to USE their computers, not spend time learning to program to fix other people's software.